The method used to crack the validation is dead simple – it can be done by anyone with a text editor. It only involves copying reciept and info.plist data from a free app and pasting it into a paid app. Getting the app itself is not difficult – people can get it from torrents or copy from their friends etc. Instructions on how to crack can be found here. (We do not encourage piracy. We have linked to the how-to hack only for those interested in seeing how the crack works.) This method will not work for all all paid apps though.
So, who is to blame for this fiasco? Well, first of all it is the app developer’s fault for not validating the receipt. The apps on which this crack works seems to be merely checking if there is a receipt and not actually validating it. And secondly Apple is to partly blame as well. Their process of validating the receipt is too complex and confusing. And it seems like their documentation also instructs developers to validate against data external to the binary and stored as plain text.
So if you are a developer, you may have to look at the security logic of your paid app. CraftyMind has some instructions on how you can do it. It basically involves hardcoding the identifiers into the app.